A state-sponsored threat group linked to China has been engaged in a five-month-long cyberattack against the Vatican and other Catholic Church-related organizations. The attacks have come in the form of spear-phishing emails carrying the PlugX remote access tool (RAT) as the payload. Researchers with Recorded Future observed the group, RedDelta, targeting the mail servers of Catholic organizations since early May 2020, ahead of the anticipated September 2020 renewal of the landmark 2018 China-Vatican provisional agreement, known as the China-Holy See deal. The intrusions continued until roughly a week before China’s Foreign Ministry announced on Sept. 10 that the deal had been “implemented successfully” and that a renewal is expected to be announced in the coming weeks; at that point the observed threat activity died off, researchers said. Researchers believe that targeting the Vatican and other entities related to the Catholic Church would likely give RedDelta insight into the negotiating position of the Holy See ahead of the deal’s September 2020 renewal. “RedDelta has largely remained unperturbed by the extensive public reporting on its targeting of the Vatican and other Catholic organizations,” according to researchers with Recorded Future’s Insikt Group in a report released Tuesday. “Despite taking basic operational security measures through changing the resolution status of command and control (C2) domains in the immediate…

Source

The first half of 2020 saw a significant uptick in the number of distributed denial-of-service (DDoS) attacks compared to the same period last year, a phenomenon that appears to be directly correlated with the global coronavirus pandemic. Neustar’s Security Operations Center (SOC) saw a 151 percent increase in DDoS activity in the period, including one of the largest and longest attacks that Neustar has ever mitigated: it peaked at 1.17 terabits per second (Tbps) and lasted five days and 18 hours. “These figures are representative of the growing number, volume and intensity of network-type cyberattacks as organizations shifted to remote operations and workers’ reliance on the internet increased,” the company noted in its first-half status report, released on Wednesday. DDoS attacks are getting bigger, with what Neustar called a “noticeable spike” in volume: the number of attacks sized 100Gbps and above grew 275 percent. Emblematic of this is the 2.3Tbps attack against an Amazon Web Services customer in February, the largest volumetric DDoS attack on record. The 1.17Tbps attack was itself 192 percent bigger than the largest attack the company mitigated during the first half of 2019. That said, the increase in the total number of attacks was felt across all size categories; even attacks sized 5Gbps grew by more than 200 percent. Overall, small attacks sized 5Gbps and below represented 70 percent of all attacks…

Source

The Department of Justice (DoJ) has indicted two hackers, one of them a teenager, for allegedly vandalizing more than 50 websites hosted in the U.S. with pro-Iran messages. The indictment, unsealed on Tuesday, names Behzad Mohammadzadeh, a national of the Islamic Republic of Iran believed to be 19 years old, and Marwan Abusrour, a stateless national of the Palestinian Authority believed to be 25 years old. Both were charged with one count of conspiring to commit intentional damage to a protected computer and one count of intentionally damaging a protected computer. The defendants are believed to be living in Iran and Palestine and are wanted by United States authorities. “These hackers are accused of orchestrating a brazen cyber-assault that defaced scores of websites across the country as a way of protesting and retaliating against the United States for killing the leader of a foreign terrorist organization,” said Joseph Bonavolonta, special agent in charge of the FBI Boston division, in a Tuesday statement. “Now, they are wanted by the FBI and are no longer free to travel outside Iran or Palestine without risk of arrest.” The website defacements came after conflict between the U.S. and Iran peaked earlier in 2020, when a U.S. drone strike on Jan. 3 killed Qassem Soleimani, an Iranian general with the Islamic Revolutionary Guard Corps who was highly esteemed in Iran. On the heels of Soleimani’s killing, Iranian leaders vowed retaliation. On the…

Source

Most cybersecurity professionals fully anticipated that cybercriminals would leverage the fear and confusion surrounding the COVID-19 pandemic in their cyberattacks. Of course malicious emails would carry COVID-19 subject lines; of course malicious downloads would be COVID-19 themed. This is how cybercriminals operate: any opportunity to maximize effectiveness, no matter how contemptible, is taken. While many have anecdotally suggested ways in which COVID-19-related cyberattacks would unfold, there is little data on the actual impact of COVID-19 on cybersecurity. Several vendors have reported that the number of malicious emails with COVID-19-related subjects has grown several hundred percent and that the majority of COVID-19-related emails are now malicious. Beyond the anticipated increase in COVID-19-related malicious emails, videos and downloadable files, what else is going on behind the scenes? Cybersecurity company Cynet has just released a report detailing changes in cyberattacks it has observed across North America and Europe since the beginning of the COVID-19 pandemic. The report shares several data points and findings, such as the change in cyberattack volume observed in various industry sectors, the increased use of spear phishing as an initial attack vector, and the approaches used to distribute malware in spear-phishing attacks. The two more interesting findings…

Source

A team of academic researchers has discovered a Bluetooth Low Energy (BLE) vulnerability that allows spoofing attacks which could affect the way humans and machines carry out tasks. It potentially impacts billions of Internet of Things (IoT) devices, the researchers said, and remains unpatched in Android devices. The BLE Spoofing Attacks (BLESA) flaw arises from authentication issues in the device reconnection process, an area often overlooked by security experts. Reconnections occur after two devices have connected and one then moves out of range (or disconnects) and later connects again, according to a paper recently published by researchers at Purdue University. Reconnections are common in industrial IoT environments, for example, where a sensor may periodically connect to a server to transmit telemetry data before disconnecting and going back into monitoring mode. A successful BLESA attack allows bad actors to connect to a device (by getting around the reconnection authentication requirements) and send spoofed data to it. In the case of IoT devices, those malicious packets can convince machines to carry out different or new behavior; for humans, attackers could feed a device deceptive information. The vulnerability is particularly significant because of the ubiquity of the BLE protocol, which, because of its energy efficiency and simplicity of use, is used by billions of devices to pair and connect, said the team, comprised of researchers Jianliang Wu, Yuhong, Vireshwar,…
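
The reconnection weakness described above, modelled in Python as an added example (this is not the Purdue team's code and not a real BLE stack): a bonded client reconnects to a peer that presents the sensor's address and asks it to re-enable link encryption with the stored long-term key. A peer spoofing the address does not hold that key, so it refuses. The vulnerable client treats re-encryption on reconnection as optional and falls back to plaintext, accepting whatever the peer sends; the hardened client drops the link instead. The message names (REJECT, START_ENC), the Peer and Client classes, the address, key and readings are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Peer:
    """Server-side device as the client sees it on reconnection. A spoofing
    attacker presents the bonded address but has no LTK, so it either rejects
    the encryption request outright or cannot answer with a matching key."""
    address: str
    ltk: Optional[bytes]               # None: this peer does not know the bonded key
    refuses_encryption: bool = False   # attacker replies "encryption not supported"
    readings: List[bytes] = field(default_factory=list)

    def on_encryption_request(self, client_ltk: bytes) -> dict:
        # Modelled link-layer reply (assumed message names, not the real PDUs).
        if self.refuses_encryption or self.ltk is None:
            return {"type": "REJECT", "reason": "encryption not supported"}
        if self.ltk != client_ltk:
            return {"type": "REJECT", "reason": "key mismatch"}
        return {"type": "START_ENC"}


@dataclass
class Client:
    bonded: Dict[str, bytes]     # address -> LTK stored at the original pairing
    require_encryption: bool     # False: treats re-authentication as optional
    accepted: List[Tuple[str, bytes, bool]] = field(default_factory=list)
    events: List[str] = field(default_factory=list)

    def reconnect(self, peer: Peer) -> bool:
        """Reconnect to a bonded address; return True if data was accepted."""
        ltk = self.bonded.get(peer.address)
        if ltk is None:
            self.events.append(f"{peer.address}: not bonded, ignoring")
            return False
        reply = peer.on_encryption_request(ltk)
        encrypted = reply["type"] == "START_ENC"
        if not encrypted:
            self.events.append(f"{peer.address}: encryption refused ({reply['reason']})")
            if self.require_encryption:
                # The check a hardened stack needs: a bonded peer that cannot
                # re-establish encryption is not the device we paired with.
                self.events.append(f"{peer.address}: dropping link, no plaintext fallback")
                return False
        for reading in peer.readings:
            self.accepted.append((peer.address, reading, encrypted))
        return True


def run_scenarios() -> Dict[str, List[Tuple[str, bytes, bool]]]:
    """Constructed scenario: the real sensor, then an attacker spoofing its address."""
    ltk = bytes.fromhex("00112233445566778899aabbccddeeff")  # assumed bonded key
    addr = "AA:BB:CC:DD:EE:01"                               # assumed sensor address
    sensor = Peer(addr, ltk, readings=[b"temp=21.5"])
    spoof = Peer(addr, None, refuses_encryption=True, readings=[b"temp=99.0"])
    results = {}
    for name, require in (("vulnerable", False), ("hardened", True)):
        client = Client({addr: ltk}, require_encryption=require)
        client.reconnect(sensor)
        client.reconnect(spoof)
        results[name] = client.accepted
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(name, accepted)
```

The vulnerable client ends up with the spoofed reading flagged as received over an unencrypted link; the hardened client only ever holds the reading that arrived after encryption was re-established with the bonded key.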

Source

A pair of healthcare-related data breaches at high-profile government agencies has impacted tens of thousands of people. First, a cyberattack at the U.S. Department of Veterans Affairs (VA) has impacted about 46,000 veterans, exposing their financial information. And another incident, at the U.K.’s National Health Service, exposed personal information for 18,105 Welsh citizens.

Vets Caught Up in Financial Breach

In the first instance, an internal tool used by the VA’s Financial Services Center (FSC) was hacked and used to intercept and steal funds that had been earmarked as payments to community healthcare providers, the VA said. The VA’s coverage of these payments is handled by the software tool, which contains veterans’ financial data, Social Security numbers and more. “The exposure could have been much greater. It’s likely that security technology was in place which detected a high volume of record changes in this event as the threat actor was editing the individual financial records to divert the payments,” Ilia Sotnikov, vice president of product management at Netwrix, said via email. “Any time there is heavy, unusual activity the likelihood of a breach is high.” The FSC took the application offline once the unauthorized access was discovered; no timeline for when the breach occurred has been given. “A preliminary review indicates these unauthorized users gained access…by using social-engineering techniques and exploiting authentication protocols,”…

Source

Quick Response (QR) codes are booming in popularity and hackers are flocking to exploit the trend. Worse, according to a new study, people are mostly ignorant of how easily QR codes can be abused to launch digital attacks. QR code use is skyrocketing because more brick-and-mortar businesses are forgoing paper brochures, menus and leaflets that could accelerate the spread of COVID-19 and turning to QR codes as an alternative. MobileIron warns that these QR codes can be malicious. In a study released Tuesday, the mobile device management firm found that 71 percent of survey respondents said they cannot distinguish between a legitimate and a malicious QR code. QR codes allow a user to scan a special code with their phone’s camera to automatically perform an action. These shortcuts usually open a website, but can be programmed to perform any number of mobile actions, including drafting emails, placing calls, opening marketing collateral, opening a location on a map and automatically starting navigation, opening a Facebook, Twitter or LinkedIn profile page, or starting any action from any app (such as opening PayPal with a pre-seeded payment handle). According to the MobileIron survey of more than 2,100 consumers across the U.S. and the U.K., QR codes are becoming fully entrenched in people’s lives, especially as the coronavirus pandemic continues to rage on. Sixty-four percent of respondents said that QR…
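
The practical defence against the problem the survey describes is to show the user what a code will do before the phone does it. As an added example (not MobileIron's code), the following Python check takes the text a scanner has already decoded from a QR code, reports which of the actions listed above it would trigger, and surfaces the warning signs a practitioner would want flagged: plain-http URLs, the userinfo trick where the visible "host" is really a username, punycode/homograph hostnames, URL shorteners, odd ports, and any scheme that leaves the browser. The scheme list, the shortener list, the risk rules and the sample payloads are constructed assumptions.

```python
from urllib.parse import urlsplit

# Scheme -> what a phone typically does after scanning (assumed list; real
# scanner apps differ in what they auto-launch).
ACTION_BY_SCHEME = {
    "http": "open website (unencrypted)",
    "https": "open website",
    "tel": "place phone call",
    "sms": "draft text message",
    "smsto": "draft text message",
    "mailto": "draft email",
    "geo": "open map location",
    "wifi": "join Wi-Fi network",
    "intent": "launch Android app via intent",
    "market": "open app store listing",
}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}   # assumed list
NON_BROWSER_HIGH = {"wifi", "intent"}   # actions that change device state directly


def classify_qr_payload(payload: str) -> dict:
    """Return the action a decoded QR payload triggers, a risk level and reasons.
    Risk: 'low' = https site with no warning signs, 'medium' = unencrypted or
    leaves the browser, 'high' = a pattern attackers use to disguise the target."""
    text = payload.strip()
    scheme, sep, rest = text.partition(":")
    scheme = scheme.lower()
    if not sep or scheme not in ACTION_BY_SCHEME:
        return {"action": "display text only", "target": text, "risk": "low", "reasons": []}

    reasons, risk, target = [], "low", rest
    if scheme in ("http", "https"):
        parts = urlsplit(text)
        host = (parts.hostname or "").lower()
        target = host
        if scheme == "http":
            reasons.append("unencrypted http URL")
            risk = "medium"
        if "@" in parts.netloc:
            shown = parts.netloc.split("@")[0]
            reasons.append(f"userinfo trick: looks like {shown} but connects to {host}")
            risk = "high"
        if host.startswith("xn--") or ".xn--" in host or not host.isascii():
            reasons.append("internationalised/punycode hostname (homograph risk)")
            risk = "high"
        if host in SHORTENERS:
            reasons.append("URL shortener hides the real destination")
            risk = "medium" if risk == "low" else risk
        try:
            port = parts.port
        except ValueError:
            port = None
            reasons.append("malformed port")
            risk = "high"
        if port not in (None, 80, 443):
            reasons.append(f"non-standard port {port}")
            risk = "medium" if risk == "low" else risk
    else:
        reasons.append(f"scheme {scheme!r} triggers an action outside the browser")
        risk = "high" if scheme in NON_BROWSER_HIGH else "medium"

    return {"action": ACTION_BY_SCHEME[scheme], "target": target, "risk": risk, "reasons": reasons}


# Constructed sample scans, not real codes seen in the wild.
SAMPLE_SCANS = [
    "https://example.com/menu",
    "http://bit.ly/x1",
    "https://paypal.com@evil.example/login",
    "https://xn--pypal-4ve.example/",
    "tel:+15555550100",
    "WIFI:T:WPA;S:FreeCafe;P:hunter2;;",
    "Table 12",
]

if __name__ == "__main__":
    for scan in SAMPLE_SCANS:
        r = classify_qr_payload(scan)
        print(f"{r['risk']:6} {r['action']:32} {r['target']}  {'; '.join(r['reasons'])}")
```

A scanner front-end would display the `action`, `target` and `reasons` and require an explicit tap before anything above "low" is carried out, which is exactly the step that lets a user distinguish a restaurant menu from a payment or call trigger.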

Source

IBM has issued fixes for vulnerabilities in Spectrum Protect Plus, Big Blue’s data-protection tool found under the umbrella of its Spectrum data storage software branding. The flaws can be exploited by remote attackers to execute code on vulnerable systems. IBM Spectrum Protect Plus is a data-protection solution that provides near-instant recovery, replication, reuse and self-service for virtual machines. The vulnerabilities (CVE-2020-4703 and CVE-2020-4711) affect versions 10.1.0 through 10.1.6 of IBM Spectrum Protect Plus. The more serious of the two (CVE-2020-4703) exists in the Spectrum Protect Plus Administrative Console and could allow an authenticated attacker to upload arbitrary files, which could then be used to execute arbitrary code on the vulnerable server, according to researchers with Tenable, who discovered the flaws, in a Monday advisory. The bug scores 8 out of 10 on the CVSS scale, making it high-severity. It is due to an incomplete fix for CVE-2020-4470, a high-severity flaw previously disclosed in June. An exploit for CVE-2020-4470 involves two operations, Tenable researchers said: “The first operation is to upload a malicious RPM package to a directory writable by the administrator account by sending an HTTP POST message to URL endpoint https://<spp_host>:8090/api/plugin,” they said. “The second operation is to install the malicious RPM by sending an HTTP POST message to URL endpoint…

Source

Proof-of-concept (PoC) exploit code has been released for a Windows flaw that could allow attackers to infiltrate enterprises by gaining administrative privileges, giving them access to companies’ Active Directory domain controllers (DCs). The vulnerability, dubbed “Zerologon,” is a privilege-escalation flaw (CVE-2020-1472) with a CVSS score of 10 out of 10, making it critical in severity. The flaw was addressed in Microsoft’s August 2020 security updates. However, this week at least four public PoC exploits for the flaw were released on GitHub, and on Friday researchers with Secura (who discovered the flaw) published technical details of the vulnerability. “This attack has a huge impact: It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain,” said researchers with Secura, in a Friday whitepaper. “The attack is completely unauthenticated: The attacker does not need any user credentials.” The flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication. Specifically, the issue lies in how AES-CFB8 encryption is used for Netlogon sessions. CFB8 mode requires a fresh, unpredictable initialization vector (IV) for every message; that randomness is what keeps an attacker from predicting the encrypted output. However,…
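
To make the CFB8 point concrete, here is an added example (not Secura's code, not Microsoft's, and not one of the public PoCs) that implements the byte-by-byte CFB8 mode over a stand-in block function and shows why a fixed all-zero IV is fatal: with IV = 0 and an all-zero 8-byte challenge, the shift register stays all-zero as long as each output byte is zero, so the entire credential is zero whenever the first keystream byte is, which happens for roughly one key in 256. Assumptions: the block function is a SHA-256 based stand-in for AES so the script runs with the standard library only (the argument does not depend on which block cipher is used), the keys are the integers 0..4095 rather than real session keys, and the function names are mine.

```python
import hashlib
from typing import Callable, List

BLOCK = 16                   # AES block size in bytes
ZERO_IV = bytes(BLOCK)       # the fixed IV the vulnerable code path uses
ZERO_CHALLENGE = bytes(8)    # Netlogon challenges are 8 bytes; the attacker sends all zeros


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES's single-block function (assumption: a keyed hash is
    # not a permutation, but the zero-IV argument only needs E(key, 0)[0]).
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes,
                 block_encrypt: Callable[[bytes, bytes], bytes] = toy_block_encrypt) -> bytes:
    """CFB8 as specified: for every plaintext byte, encrypt the 16-byte shift
    register, XOR its first byte into the plaintext byte, then shift the
    register left by one byte and append the ciphertext byte."""
    if len(iv) != BLOCK:
        raise ValueError("IV must be exactly one block")
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        del register[0]
        register.append(c)
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Models the AES path of ComputeNetlogonCredential: CFB8 with a fixed zero IV."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def first_keystream_byte_is_zero(key: bytes) -> bool:
    """E(key, 0)[0] == 0: the only condition the attack needs."""
    return toy_block_encrypt(key, ZERO_IV)[0] == 0


def zero_credential_keys(n_keys: int) -> List[int]:
    """Indices i < n_keys whose key (assumption: i.to_bytes(16)) turns the
    all-zero challenge into an all-zero credential. Because the register
    starts at zero and only ever takes zero bytes back in, this is exactly
    the set of keys with E(key, 0)[0] == 0: about n_keys / 256 of them. An
    attacker who resends a zero challenge against fresh session keys expects
    to pass the credential check after roughly 256 attempts."""
    return [i for i in range(n_keys)
            if compute_netlogon_credential(i.to_bytes(BLOCK, "big"), ZERO_CHALLENGE) == bytes(8)]


if __name__ == "__main__":
    hits = zero_credential_keys(4096)
    print(f"{len(hits)} of 4096 keys accept an all-zero credential (expected about 16)")
    key = hits[0].to_bytes(BLOCK, "big")
    # The same key with a fresh, non-zero IV no longer produces a zero credential.
    print(cfb8_encrypt(key, bytes(range(BLOCK)), ZERO_CHALLENGE).hex())
```

The point of the second print is the fix in cryptographic terms: with a per-message IV the register never starts at zero, so a zero challenge gives a different credential under every key and the 1-in-256 shortcut disappears.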

Source

Bugs in the multi-factor authentication (MFA) system used by Microsoft’s cloud-based office productivity platform, Microsoft 365, opened the door for hackers to access cloud applications by bypassing MFA, according to researchers at Proofpoint. The flaws exist in the implementation of the WS-Trust specification in cloud environments where WS-Trust is enabled and used with Microsoft 365, formerly called Office 365. WS-Trust is an OASIS standard that extends WS-Security and is used for renewing and validating security tokens and brokering trust relationships as part of a secure message-exchange architecture. The Organization for the Advancement of Structured Information Standards (OASIS) is a non-profit consortium that promotes open standards in security. The issue, researchers said, is that WS-Trust is an “inherently insecure protocol” and that Microsoft identity providers (IdPs) implemented the specification with various bugs. “Due to the way Microsoft 365 session login is designed, an attacker could gain full access to the target’s account (including mail, files, contacts, data and more),” Itir Clarke, senior product marketing manager for Proofpoint’s Cloud Access Security Broker, wrote in a report posted online Tuesday. “Furthermore, these vulnerabilities could also be used to gain access to various other Microsoft-provided cloud services, including production and development environments such as Azure and…

Source